Governance

GDPR

What it is, why it matters for businesses, and the questions worth asking before you adopt.

What it is

The definition

The General Data Protection Regulation (GDPR) is EU law that governs how personal data is collected, processed, stored, and shared. It applies to organisations established in the EU wherever the processing itself takes place, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. The UK retained a near-identical version after Brexit (the UK GDPR), so a business serving both markets must meet both regimes.

Why it matters

Why businesses care

When you use AI (especially cloud AI), you may be sending personal data to third parties. You need a lawful basis for the processing (Article 6, plus an Article 9 condition if special category data such as health data is involved), an Article 28 Data Processing Agreement (DPA) with each provider acting as your processor, and working processes for data subject rights (access, rectification, erasure, portability, objection). Non-compliance can mean fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.

Example framework

A starting checklist

Best practice

  • Document a lawful basis for each AI use case before go-live
  • Sign DPAs with all AI providers before sending personal data
  • Map data flows: what goes where, who processes it
  • Keep a record of processing activities (ROPA) for AI use cases
  • Update privacy notices when you add new AI processing

Areas to explore

  • Data inventory: which systems feed the AI and what personal data do they hold?
  • Provider contracts: do DPAs cover sub-processors, and do they state whether your prompts and outputs are used to train the provider's models (and how to opt out)?
  • Retention: how long does the AI provider keep prompts, outputs, and any logs kept for abuse monitoring? Can you enforce deletion?
  • Cross-border transfers: if data leaves the UK/EU, what safeguards apply (an adequacy decision, Standard Contractual Clauses, or the UK International Data Transfer Agreement)?
  • Subject rights: can you extract, correct, or delete data the AI has seen, including data held in provider logs or fine-tuned models?

Suggestions

  • Run a Data Protection Impact Assessment (DPIA) for high-risk AI use cases
  • Assign a data protection lead for AI procurement decisions
  • Build a checklist for new AI tools: DPA, lawful basis, notice update

Key questions

What to ask before you adopt

  • What personal data does our AI use case process?
  • Do we have a lawful basis for processing?
  • Have we signed a DPA with our AI provider?
  • Where is data stored? Does it meet residency requirements?
  • Can we respond to data subject requests (access, erasure)?
  • Is our privacy notice up to date?

Further reading

Sources worth your time

Need a governance assessment?

We'll map your AI plan against GDPR, security, and sovereignty constraints, and produce a report you can hand to compliance.